Our experience of GDPR

The GDPR is coming; scaremongers have been amongst those constantly reminding us of this.

I decided to share some of my experiences and thoughts on GDPR with our Brokers as some of them may help you to understand what needs to be done.

I am not a compliance consultant and this is not a compliance article – it’s just me sharing what I have done for our business to ensure we will be GDPR compliant. I hope it may help some of you.

Reading

Reading, yes I have read a lot. I decided I wanted to understand the GDPR for myself and not be reliant on our compliance consultant or anyone else for getting it right.

The key documents I found useful were:

  • ICO Consultation Paper: GDPR consent guidance
  • ICO Paper: Privacy notices, transparency and control
  • ICO Paper: Overview of the GDPR
  • ICO Paper: Preparing for the GDPR 12 steps to take now
  • Official Journal of the European Union dated 27/04/16
  • Article 29 Data Protection Working Party 13/12/16

Oddly, the actual regulations from the EU were really helpful.

So, from this reading I realised one thing – the statement being bandied about, “if you are compliant with the DPA you will be fine and have little to do”, is inaccurate. It was a myth I am glad I dispelled for myself.

Action points

I went on and created a checklist of things to review and to look at or create.

These were:

  • Create an Information Asset Register
  • Create Data Flow Mapping / Records of Processing Activity
  • Not Required for us: Privacy Impact Assessment or a Data Protection Officer (because we do not have over 250 staff)
  • Appoint a Data Controller under new GDPR guidelines
  • Create a new GDPR compliant Privacy Notice / Policy
  • Review offline & online consent
  • Create new GDPR compliant offline & online consent requests
  • Create new GDPR Policy to replace our current Data Protection Policy
  • Review Data Retention periods and current FCA requirements
  • Decide what we don’t need consent for and apply correct exception law / rules from GDPR guidelines
  • Consider staff training requirements for GDPR
  • Review current retail TOBA

Results

I have been carefully working through these and now have GDPR compliant versions of:

  • Information Asset Register
  • Data Flow Mapping / Records of Processing Activity
  • Privacy Notice / Policy
  • Online & Offline consent (currently just finalising this document and changes)

I am more than happy to share these with our Brokers so feel free to email me your request. They may help you, they may not!

What’s next?

Well, I am now working on the final phase of the new GDPR online and offline consent changes and looking at our TOBA changes. I am confident we are already GDPR compliant, which is great – but it has taken a lot of hard work.

Don’t leave this project until May 2018, because what is fundamentally different is that you have to have evidence in place now to show you are compliant – after the event, or when you get a request from the ICO, is not going to cut it. The ICO may well look to fine companies who are unable to show compliance, and we are very likely to be on their radar as an industry.

It continues to be a very interesting project with lots of work still to be completed.

About the Author Richard Burgess

Richard Burgess is a Director at ABACUS.
